This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author martin.panter
Recipients Thomas, martin.panter, paul.moore, phihag, steve.dower, tim.golden, xiang.zhang, zach.ware
Date 2016-03-28.23:02:37
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1459206158.07.0.62015963299.issue26657@psf.upfronthosting.co.za>
In-reply-to
Content
Thomas: can you point to the “warning that those modules are not secure in the module docs”? All I can see is a warning in the pydoc output for http.server.__doc__, but that is specifically about the CGI server.

The specific bug with allowing c:c:c:.. looks like it would have been triggered by fixing Issue 19456. If so, 2.7 would also be affected.

The whole translate_path() algorithm looks over-complicated to me. One quick idea that comes to mind is to skip (or diagnose) each whole URL path component if there is any drive, directory etc syntax present, rather than making an attempt to strip it off. Perhaps check with os.path.dirname() or pathlib’s is_reserved().

One other thing I have wondered about, but I don’t know Windows well enough to be sure. Shouldn’t there be some protection against accessing special files like <http://127.0.0.1:8000/con.fusion>?

Ideally, I would like to see a common function somewhere to do this kind of path validation and conversion. There are other places even in the standard library where this is needed, which I mentioned at <https://bugs.python.org/issue21109#msg216675>.
History
Date User Action Args
2016-03-28 23:02:38martin.pantersetrecipients: + martin.panter, paul.moore, tim.golden, phihag, zach.ware, steve.dower, xiang.zhang, Thomas
2016-03-28 23:02:38martin.pantersetmessageid: <1459206158.07.0.62015963299.issue26657@psf.upfronthosting.co.za>
2016-03-28 23:02:38martin.panterlinkissue26657 messages
2016-03-28 23:02:37martin.pantercreate